Basic Procedure to Check What is Signed Set Up Callbacks

8-14 Oracle Fusion Middleware Reference for Oracle Security Developer Tools

8.8.2.2 Enveloped Signature

To use an enveloped signature, add the enveloped signature transform to the reference. This means inserting the following code just before the code that adds the exclusive transform:

    XSAlgorithmIdentifier transform1 =
        new XSAlgorithmIdentifier(doc, "Transform", XMLURI.alg_envelopedSignature);
    ref.addTransform(transform1);

8.8.2.3 XPath Expression

To use an XPath expression instead of an ID-based reference, pass in an empty string instead of "foo1" for the URI parameter of createReference, then add an XPath transform to the Reference as the first transform.

    String xpathExpr = "ancestor-or-self::importantInfo";
    Element xpathElem = doc.createElementNS(XMLURI.ns_dsig, "dsig:XPath");
    xpathElem.appendChild(doc.createTextNode(xpathExpr));
    XSAlgorithmIdentifier transform2 =
        new XSAlgorithmIdentifier(doc, "Transform", XMLURI.alg_xpath);
    transform2.addParameter(xpathElem);
    ref.addTransform(transform2);
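The enveloped and XPath transforms of 8.8.2.2 and 8.8.2.3, combined with the exclusive canonicalization transform the text refers to, as one added example (not code from the Oracle reference). It assumes the Reference wrapper returned by createReference is named XSReference, that the exclusive C14N constant is XMLURI.alg_exclusiveC14N, and that the classes live in oracle.security.xmlsec.dsig and oracle.security.xmlsec.util; those names are assumptions of this example.

```java
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import oracle.security.xmlsec.dsig.XSAlgorithmIdentifier;
import oracle.security.xmlsec.dsig.XSReference;   // assumed class name for the Reference wrapper
import oracle.security.xmlsec.util.XMLURI;

/**
 * Builds the transform chain of a Reference in the order the reference text
 * prescribes: XPath filter first, enveloped-signature transform next, exclusive
 * canonicalization last. Order matters: the digest is computed over whatever
 * node set survives the chain, so a verifier must inspect the chain, not only
 * the URI, to know what was actually signed.
 */
public final class ReferenceTransforms {

    private ReferenceTransforms() {}

    /**
     * @param doc       the document being signed
     * @param ref       the Reference created by createReference (assumed type XSReference)
     * @param enveloped true when the dsig:Signature element sits inside the signed content
     * @param xpathExpr optional XPath filter such as "ancestor-or-self::importantInfo";
     *                  null for an ID-based reference with no XPath filter
     */
    public static void addTransforms(Document doc, XSReference ref,
                                     boolean enveloped, String xpathExpr) {
        // 1. XPath filter first, so the later transforms see only the selected nodes.
        if (xpathExpr != null) {
            Element xpathElem = doc.createElementNS(XMLURI.ns_dsig, "dsig:XPath");
            xpathElem.appendChild(doc.createTextNode(xpathExpr));
            XSAlgorithmIdentifier xpath =
                new XSAlgorithmIdentifier(doc, "Transform", XMLURI.alg_xpath);
            xpath.addParameter(xpathElem);
            ref.addTransform(xpath);
        }

        // 2. Enveloped-signature transform: removes the dsig:Signature element itself
        //    from the digested content. Without it the digest would cover the
        //    SignatureValue that is only computed afterwards, and verification fails.
        if (enveloped) {
            ref.addTransform(new XSAlgorithmIdentifier(
                doc, "Transform", XMLURI.alg_envelopedSignature));
        }

        // 3. Exclusive C14N last (constant name XMLURI.alg_exclusiveC14N is an assumption).
        ref.addTransform(new XSAlgorithmIdentifier(
            doc, "Transform", XMLURI.alg_exclusiveC14N));
    }
}
```

Call addTransforms(doc, ref, true, "ancestor-or-self::importantInfo") for an enveloped signature over the importantInfo subtree, or addTransforms(doc, ref, false, null) for a plain ID-based reference. Because an XPath reference carries an empty URI, the selected content is determined entirely by the transform chain; a verifier that trusts such a reference should evaluate the same expression itself rather than assume the whole document was covered.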

8.8.2.4 Certificate Hint

If you do not want to include the entire certificate in the key info, but only a hint to the certificate, use the no-argument form of XSKeyInfo.createX509Data and call one of the methods X509Data.addIssuerSerial, addSubjectName, or addSubjectKeyID.

8.8.2.5 Sign with HMAC Key

To sign with an HMAC key instead of an RSA or DSA private key, use the XSSignature.sign(byte[] secret, String sigValueId) method and pass your HMAC key as the first argument. Also use a different kind of KeyInfo, such as a KeyName, by calling XSKeyInfo.createKeyName.
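An added example of the HMAC signing step above; it is not code from the Oracle reference. It assumes the XSSignature instance already has its SignedInfo and References set up with an HMAC SignatureMethod, that the KeyInfo is obtained with an assumed factory method sig.createKeyInfo(), that createKeyName takes the key name as a String, and that the SignatureValue element Id "sigValue1" is free to use; all of these are assumptions of the example.

```java
import java.security.SecureRandom;
import oracle.security.xmlsec.dsig.XSKeyInfo;
import oracle.security.xmlsec.dsig.XSSignature;

/**
 * Signs with a shared HMAC secret. An HMAC signature proves possession of the
 * shared secret, not a private key, so the KeyInfo must only name the key;
 * the secret itself is never placed in the document.
 */
public final class HmacSigning {

    private HmacSigning() {}

    /** Generates a fresh 32-byte secret; distribute it to the verifier out of band. */
    public static byte[] newHmacSecret() {
        byte[] secret = new byte[32];
        new SecureRandom().nextBytes(secret);
        return secret;
    }

    /**
     * @param sig     signature whose SignedInfo uses an HMAC SignatureMethod (assumed set up by the caller)
     * @param secret  the shared HMAC key, passed as the first argument of sign()
     * @param keyName label the verifier uses to look up the same secret on its side
     */
    public static void signWithHmac(XSSignature sig, byte[] secret, String keyName)
            throws Exception {
        // KeyName instead of X509Data: only an identifier of the key goes into KeyInfo.
        XSKeyInfo keyInfo = sig.createKeyInfo();   // assumed factory method name
        keyInfo.createKeyName(keyName);

        // sign(byte[] secret, String sigValueId): the second argument becomes the Id
        // attribute of the SignatureValue element.
        sig.sign(secret, "sigValue1");
    }
}
```

On the verifying side, the KeyName is the only hint available, so the verifier resolves it to the same secret from its own key store (for example through a custom KeyRetriever as in 8.9.3); a KeyName that resolves to nothing must be treated as a verification failure, never as a reason to skip the check.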

8.9 How to Verify Signatures with the Oracle XML Security API

This section explains how to verify signatures using the Oracle XML Security APIs.

8.9.1 Basic Procedure to Check What is Signed

To verify a signature, first locate the dsig:Signature element in your document, then use it to construct the XSSignature wrapper object.

    Element sigElem = …
    XSSignature sig = new XSSignature(sigElem);

Next, fetch the KeyInfo of the signature and examine the key to determine if you trust the signer. There are different ways to deal with the KeyInfo:

■ For very simple cases, you may already know the verification key in advance, and you do not need to look at the KeyInfo at all.

■ In most cases, however, you should look at the KeyInfo. One way is to set up callbacks, so that when you call XSSignature.verify you call it with no verification key. Internally, the Oracle Security Developer Tools look at the KeyInfo and invoke a callback to fetch the key.

■ The other option is to proactively look into the KeyInfo and determine the key yourself.

8.9.2 Set Up Callbacks

If the KeyInfo Contains the Signing Certificate

If you expect the KeyInfo to contain the signing certificate, and you do not already have this certificate, but you have set up the trust points, you just need to set a certificate validator callback.

    // Create your certificate validator
    CertificateValidator myValidator = new CertificateValidator() {
        public boolean validateCert(CertPath cp) {
            // Code to validate the certificate; return true only if it is trusted
        }
    };
    KeyRetriever.setCertificateValidator(myValidator);

The Oracle Security Developer Tools API retrieves the certificate from the KeyInfo and invokes your callback; if the callback returns true, it will verify with that certificate.

If the KeyInfo Contains a Hint

If you expect the KeyInfo to contain only a hint to the signing certificate, that is, the subject DN, issuer serial, or subject key identifier, write a KeyRetriever to fetch a certificate from a certificate store given this hint. If your certificate store is a keystore, a PKCS12 wallet, or a PKCS8 file, you can use one of the built-in retrievers for these types. These retrievers iterate through all the certificates in the keystore or Oracle wallet and find the one which matches the given subjectDN, issuerSerial, or SubjectKey.

    // Load your keystore
    KeyStore ks = …
    // Set up a callback against this KeyStore
    KeyRetriever.addKeyRetriever(new KeyStoreKeyRetriever(ks, passwd));
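The two callbacks of 8.9.2 and the verification call of 8.9.1 put together, as an added example that is not code from the Oracle reference. It assumes the callback classes live in oracle.security.xmlsec.keys.retrieval, that validateCert returns boolean (consistent with the text's "if the callback returns true"), that KeyStoreKeyRetriever takes the password as a char[], and that XSSignature.verify() with no argument returns boolean. The certificate check itself uses the standard Java PKIX CertPathValidator against a trust store, which the text leaves as "code to validate the certificate"; that choice is this example's, not the reference's.

```java
import java.security.KeyStore;
import java.security.cert.CertPath;
import java.security.cert.CertPathValidator;
import java.security.cert.PKIXParameters;
import org.w3c.dom.Document;
import org.w3c.dom.Element;
import org.w3c.dom.NodeList;
import oracle.security.xmlsec.dsig.XSSignature;
import oracle.security.xmlsec.keys.retrieval.CertificateValidator;   // assumed package
import oracle.security.xmlsec.keys.retrieval.KeyRetriever;           // assumed package
import oracle.security.xmlsec.keys.retrieval.KeyStoreKeyRetriever;   // assumed package
import oracle.security.xmlsec.util.XMLURI;

/**
 * Verifies a signature whose key is resolved through the KeyRetriever callbacks:
 * a PKIX validator for a certificate carried in KeyInfo, and a keystore-backed
 * retriever for a KeyInfo that holds only a hint (issuer/serial, subject name
 * or subject key identifier).
 */
public final class CallbackVerifier {

    private CallbackVerifier() {}

    /**
     * @param trustStore keystore holding trusted CA certificates (the trust points)
     * @param certStore  keystore searched by KeyStoreKeyRetriever when KeyInfo is a hint
     * @param passwd     password of certStore (char[] is an assumption of this example)
     */
    public static void installCallbacks(final KeyStore trustStore,
                                        KeyStore certStore, char[] passwd) {
        CertificateValidator validator = new CertificateValidator() {
            public boolean validateCert(CertPath cp) {
                try {
                    // Build the chain to a trust anchor; fails closed on an unknown CA,
                    // an expired certificate, or (with revocation enabled and no
                    // CRL/OCSP source configured for the JVM) an unverifiable status.
                    PKIXParameters params = new PKIXParameters(trustStore);
                    params.setRevocationEnabled(true);
                    CertPathValidator.getInstance("PKIX").validate(cp, params);
                    return true;
                } catch (Exception e) {
                    return false;   // any failure means: do not verify with this certificate
                }
            }
        };
        KeyRetriever.setCertificateValidator(validator);
        KeyRetriever.addKeyRetriever(new KeyStoreKeyRetriever(certStore, passwd));
    }

    /**
     * Locates the dsig:Signature element and verifies it with no explicit key,
     * so the toolkit resolves the key from KeyInfo through the callbacks above.
     */
    public static boolean verifySignature(Document doc) throws Exception {
        NodeList sigs = doc.getElementsByTagNameNS(XMLURI.ns_dsig, "Signature");
        if (sigs.getLength() != 1) {
            // Zero: nothing to verify. More than one: decide explicitly which
            // signature covers the data you rely on instead of taking the first.
            throw new IllegalStateException(
                "expected exactly one dsig:Signature, found " + sigs.getLength());
        }
        XSSignature sig = new XSSignature((Element) sigs.item(0));
        return sig.verify();   // no key argument: KeyInfo drives key resolution
    }
}
```

A true result from verifySignature only establishes that the signature is valid for the resolved key; it says nothing about whether the references cover the elements your application acts on. Per 8.9.1, follow a successful verify with a check of each Reference's URI and transform chain before trusting the content.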

8.9.3 Write a Custom Key Retriever